Hi,
I have created a table with host and grouped IP addresses; a host will have both public and private IP addresses.
So my table looks like this:
Host     IP           id
Host A   10.1.1.1     21
         172.1.1.1
I have an IP range to identify the public IPs.
I need to create another field: if the range matches, the result will be Yes, if not, No.
I have used this query for the field:
| eval "internet facing"=case(cidrmatch("172.1.1.0/24", IP), "Yes", 1==1, "No")
But this eval only works on fields which have 1 IP.
In my grouped IP field, it's not working.
Please assist on this.
Thank you
If you already have two fields with the IP addresses, you can compare them prior to the mvappend:
index=a OR sourcetype=b
| eval "internet facing"=case(cidrmatch("172.1.1.0/24", IP1), "Yes", cidrmatch("172.1.1.0/24", IP2), "Yes", 1==1, "No")
| eval ip=mvappend(IP1, IP2)
| fields - IP1 IP2
By group field, I assume you are referring to a multi-value field? If so, you could expand your events by the multi-value field so that each part can be evaluated separately:
| mvexpand IP
OK, thank you for your reply. But if using mvexpand, the IP will be split by host.
Is there any workaround to not split the host?
If I split the IPs, for example like:
host ip1 ip2
Is there any query that can detect the internet facing by searching across all the IP fields?
What do you mean split by host? Perhaps if you share what your events actually look like (anonymised of course), we might be able to figure out what it is you are trying to do.
If using mvexpand, my result is like this:
Host     IP           Internet Facing
Host A   10.1.1.1     No
Host A   172.1.1.1    Yes
For the IP field, I have combined from 2 sources.
My table should look like this:
Host     IP           Internet Facing
Host A   10.1.1.1     Yes
         172.1.1.1
Below is my sample query:
index=a OR sourcetype=b
| eval ip=mvappend(IP1, IP2)
| stats values(ip) as ip by host
| eval "internet facing"=case(cidrmatch("172.1.1.0/24", ip), "Yes", 1==1, "No")
I need the result to look like the second example table above, which does not split the host.
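For the case where ip is already a multi-value field after the stats (as in the sample query above), here is an added SPL example, not from anyone in this thread, that keeps one row per host and flags it as internet facing if any of its IPs falls in the range. It uses makeresults to build two constructed sample hosts, and the CIDR 172.1.1.0/24 is taken from the question; mvfilter evaluates cidrmatch against every value of ip, so the approach also covers hosts with more than two addresses.

```spl
| makeresults
| eval host="Host A", ip=mvappend("10.1.1.1", "172.1.1.1")
| append [| makeresults | eval host="Host B", ip=mvappend("10.2.2.2", "10.2.2.3")]
| fields host ip
| eval public_ips=mvfilter(cidrmatch("172.1.1.0/24", ip))
| eval "internet facing"=if(isnotnull(public_ips), "Yes", "No")
| table host ip public_ips "internet facing"
```

Host A comes out as Yes with public_ips=172.1.1.1 and Host B as No, with the ip column still holding all addresses of each host in a single row.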
Oh, thank you very much. It works perfectly as needed.